GPG Key Rotation

GPG, or GNU Privacy Guard, is a widely used implementation of the OpenPGP standard for secure communication, digital signatures, and file encryption. GPG key rotation is the process of replacing your primary GPG key with a new one, either for security reasons or to change the algorithm your key uses.

In this article, we will go through the steps of GPG key rotation, from generating a new key to updating your configuration files and services.

Reasons for GPG Key Rotation

There are two main reasons for changing your GPG key:

  1. You want to change the key algorithm: over time, newer and stronger algorithms become available and you may want to switch to them. For example, you may want to move from RSA to ECC (Elliptic Curve Cryptography), which gives comparable security with much shorter keys and faster operations; in GnuPG this usually means Ed25519 for signing and Curve25519 for encryption.

  2. Your key has been compromised: if you suspect that the private key has been exposed (a lost laptop, a leaked backup, malware on the machine that held it), you should replace it and revoke the old one so that correspondents stop encrypting to it and stop trusting signatures made with it.

Preparation

Before you start the rotation, back up your existing key, including all subkeys and its revocation certificate, to offline storage. This lets you restore the key if something goes wrong during the process.

If your key lives on a smartcard, the keyring on disk only holds stubs that point to the card. Perform these additional steps so that the new key is generated in an isolated keyring that contains the full backup of the old key:

  1. Create a temporary directory and change into it:
    cd "$(mktemp -d)"
    
  2. Create a GPG home directory with permissions GnuPG will accept without warnings:
    mkdir -m 700 gnupg
    
  3. Export the GPG home environment variable so that every gpg command below uses it:
    export GNUPGHOME="$(pwd)/gnupg"
    
  4. Import the existing key backup (the private key export you made earlier):
    gpg --import private.asc
    

This gives you a place where you can generate the new key without interfering with your live keyring or the card.

Generating a New GPG Key

Once you have prepared your environment, you can start generating a new GPG key. Here are the steps:

  1. Run the following command to generate a new GPG key:
    gpg --full-generate-key
    
  2. Select your desired algorithm, for example ECC with Curve 25519.
  3. Set an expiration date for the keys. One or two years is reasonable; before it arrives you can extend it (the expire command in gpg --edit-key) without creating a new key.
  4. Add your User IDs (UIDs) and any desired subkeys, such as a separate authentication subkey.
  5. Edit the new key (gpg --edit-key <new key id>), set its ownertrust to ultimate with the trust command, and sign it with the old key (the sign command, with the old key selected as the signing key). This cross-signature is crucial: anyone who already trusts the old key gets a trust path to the new one and can switch to it without re-verifying your fingerprint.

Backup and Revocation

After you have generated the new key, perform the following steps to ensure the safety and continuity of your communication:

  1. Back up the new and old keys, along with their revocation certificates. GnuPG 2.1 and later generates one automatically at key creation and stores it as openpgp-revocs.d/<fingerprint>.rev in the GPG home; the BEGIN line carries a leading colon that must be removed before the file can be imported.
  2. Revoke the old key by importing its revocation certificate, and make a separate backup of the revoked key so that you can re-publish the revocation later.
  3. Upload the new key and the revoked old key to the keyservers with the following command:
    gpg --send-keys <old> <new>
    

If the keyserver verifies addresses (keys.openpgp.org does), confirm the verification email for each user ID so that the new key can be found by email address.
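The whole procedure above (isolated GNUPGHOME, new ECC key with one subkey per capability, cross-signature with the old key, backups, revocation and publication) as a single POSIX shell script. This is an added example, not the article's own script. It assumes GnuPG 2.1 or later with gpg-agent and pinentry available (the agent prompts for the old key's passphrase or smartcard PIN), the old key's secret backup in ./private.asc, and the old key's auto-generated revocation certificate passed in as a file; the keyserver hkps://keys.openpgp.org, the two-year expiry and the output file names are assumptions you can change.

```shell
#!/bin/sh
# Added example: end-to-end GPG key rotation. Not the article's own script.
# Assumes GnuPG 2.1+ with gpg-agent/pinentry (the agent asks for the old
# key's passphrase or card PIN), the old secret key backup in ./private.asc,
# and the old key's <FPR>.rev file. Keyserver and file names are placeholders.
set -eu

# 1. Preparation: a fresh 0700 GNUPGHOME under $1 so nothing below can touch
#    the live keyring. Prints the path. (The article's `mkdir -d` is a typo
#    for `mktemp -d`, which the caller uses to create $1.)
make_isolated_home() {
    mkdir -m 700 "$1/gnupg"
    printf '%s\n' "$1/gnupg"
}

# GnuPG 2.1+ stores the revocation certificate it creates for every new key
# as openpgp-revocs.d/<FPR>.rev, with a leading ':' on the BEGIN line so it
# cannot be imported by accident. Strip that guard into an importable copy.
unlock_revocation_cert() {           # $1 = <FPR>.rev, $2 = output file
    sed 's/^:-----BEGIN PGP PUBLIC KEY BLOCK-----$/-----BEGIN PGP PUBLIC KEY BLOCK-----/' "$1" > "$2"
}

rotate() {                           # $1 old key fpr, $2 new user ID, $3 old <FPR>.rev
    old=$1 uid=$2 old_rev=$3
    work=$(mktemp -d)
    GNUPGHOME=$(make_isolated_home "$work"); export GNUPGHOME
    gpg --import private.asc         # backup of the old secret key (or card stubs)

    # 2. Generation: certify-only Ed25519 primary with a two-year expiry, then
    #    one subkey per capability (Ed25519 cannot encrypt, hence cv25519).
    #    --status-fd yields a machine-readable "KEY_CREATED P <fpr>" line;
    #    --yes lets the new key reuse a user ID the old key already has.
    new=$(gpg --batch --yes --status-fd 1 --quick-generate-key "$uid" ed25519 cert 2y \
          | awk '$2 == "KEY_CREATED" { print $4 }')
    [ -n "$new" ] || { echo "key generation failed" >&2; exit 1; }
    gpg --batch --quick-add-key "$new" ed25519 sign 2y
    gpg --batch --quick-add-key "$new" cv25519 encr 2y
    gpg --batch --quick-add-key "$new" ed25519 auth 2y

    # 3. Continuity: certify the new key with the old one so that anyone who
    #    trusts the old key has a path to its replacement, and mark the new
    #    key ultimately trusted (value 6) in this keyring.
    gpg --batch --yes --default-key "$old" --quick-sign-key "$new"
    printf '%s:6:\n' "$new" | gpg --import-ownertrust

    # 4. Backups: secret and public material for both keys plus the new key's
    #    revocation certificate, kept outside the keyring.
    gpg --armor --export-secret-keys "$new" > "$work/new-private.asc"
    gpg --armor --export "$old" "$new"   > "$work/public-before-revoke.asc"
    cp "$GNUPGHOME/openpgp-revocs.d/$new.rev" "$work/"

    # 5. Revocation: import the old key's certificate, back up the revoked
    #    public key separately, then publish both keys.
    unlock_revocation_cert "$old_rev" "$work/old-revoke.asc"
    gpg --import "$work/old-revoke.asc"
    gpg --armor --export "$old" > "$work/old-public-revoked.asc"
    gpg --keyserver hkps://keys.openpgp.org --send-keys "$old" "$new"
    echo "new key: $new; artefacts in $work (store offline, then shred)"
}

# Run only when called with arguments; without them just print usage.
if [ $# -eq 3 ]; then
    rotate "$1" "$2" "$3"
else
    echo "usage: $0 <old-key-fingerprint> 'Name <email>' <old-key.rev>"
fi
```

Run it as `sh rotate-gpg.sh <old fingerprint> 'Name <email>' <old fingerprint>.rev`. The script uses the --quick-* commands instead of the interactive --full-generate-key so that every step runs unattended apart from the agent's passphrase prompts, reads the new fingerprint from the --status-fd output rather than parsing human-readable text, and strips the guard colon from the .rev file with sed so that revocation needs no editor session.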

Conclusion

Rotating your GPG key can seem daunting, but with these step-by-step instructions the process is straightforward. Whether you want to switch to a different algorithm or your key has been compromised, the steps above take you from creating a new key, through cross-signing it with the old one, to revoking the old key and publishing both. So don't be intimidated by the thought of key rotation; take the time to follow these steps.